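{{- if .Values.externalSecrets.enabled }}
{{- if .Values.externalSecrets.openbao.mountPath }}
{{- if .Values.tenant.id }}
# s3-backup-creds — per-tenant S3 backup credentials consumed by the
# instance-template-v3 backup-cronjob (env: AWS_ACCESS_KEY_ID +
# AWS_SECRET_ACCESS_KEY). Source: v3/tenants/<tenant-id>/s3-credentials in
# OpenBao with fields access_key + secret_key. Lives in the `tenants`
# namespace where the per-instance backup CronJobs run.
#
# Rendered only when externalSecrets.enabled, externalSecrets.openbao.mountPath
# and tenant.id are all set. mountPath is used here as a gate only; the `v3/`
# prefix in the source path above does not appear in remoteRef.key, so it is
# presumably the KV mount configured on the ClusterSecretStore — confirm.
#
# NOTE(review): the Secret name is fixed rather than derived from tenant.id,
# so this assumes a single tenant per `tenants` namespace. Two releases with
# different tenant ids in the same cluster would contend for one Secret —
# confirm against the deployment model.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: s3-backup-creds
  namespace: tenants
  labels:
    app.kubernetes.io/managed-by: cluster-platform-v3
    # Kubernetes label values allow only alphanumerics, '-', '_' and '.'
    # (max 63 chars), so a tenant id containing '/' is rejected when the
    # manifest is applied, before it can reach the OpenBao path below.
    odoosky.io/tenant: {{ .Values.tenant.id | quote }}
spec:
  # A key rotated in OpenBao reaches the cluster within at most one refresh
  # interval; keep the old key valid at least that long during rotation.
  refreshInterval: "1h"
  secretStoreRef:
    name: openbao-platform
    kind: ClusterSecretStore
  target:
    name: s3-backup-creds
    # Owner: the Secret carries an ownerReference to this ExternalSecret and
    # is garbage-collected when the ExternalSecret is deleted.
    creationPolicy: Owner
    # Retain: if the OpenBao entry disappears, the last-synced Secret stays
    # in the cluster. Deleting the OpenBao entry therefore does not revoke
    # access; disable the key at the S3 provider when offboarding a tenant.
    deletionPolicy: Retain
    template:
      type: Opaque
      engineVersion: v2
      data:
        # The backtick raw strings make Helm emit the inner template
        # verbatim, so it is evaluated by External Secrets at sync time
        # and the credential values never pass through Helm rendering.
        AWS_ACCESS_KEY_ID: "{{ `{{ .access_key }}` }}"
        AWS_SECRET_ACCESS_KEY: "{{ `{{ .secret_key }}` }}"
  data:
    # Both entries read the same OpenBao item. The key is rendered through
    # printf + quote so a tenant id containing YAML-significant characters
    # (": ", " #", quotes) cannot change the structure of this manifest.
    # conversionStrategy / decodingStrategy / metadataPolicy are the
    # External Secrets defaults, spelled out explicitly.
    - secretKey: access_key
      remoteRef:
        key: {{ printf "tenants/%v/s3-credentials" .Values.tenant.id | quote }}
        property: access_key
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
    - secretKey: secret_key
      remoteRef:
        key: {{ printf "tenants/%v/s3-credentials" .Values.tenant.id | quote }}
        property: secret_key
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
{{- end }}
{{- end }}
{{- end }}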